fix(uptime): allow RFC 1918 IPs for admin-configured monitors

[Wikid82]

Problem

HTTP/HTTPS uptime monitors targeting LAN addresses (192.168.x.x, 10.x.x.x, 172.16.x.x) permanently reported "down" on fresh installs. The root cause: SSRF protection operates at two independent checkpoints — the URL validator (DNS-resolution phase) and the safe dialer (TCP-connect phase). Fixing only one layer still blocks the connection at the other.

Fixes issues 6 and 7 from the fresh-install bug report.

Solution

Add a WithAllowRFC1918() functional option to both protection layers and pass it from uptime_service.go to both simultaneously. The option is off by default — no other call site is affected.

RFC 1918 scope (strict)

Only the three canonical private ranges are permitted when the option is active:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16

Still unconditionally blocked:

• 169.254.0.0/16 — link-local / cloud metadata (including 169.254.169.254)
• Loopback (127.0.0.0/8) — unless WithAllowLocalhost() is also set
• All other private/reserved ranges

Changes

File	Change
backend/internal/network/safeclient.go	IsRFC1918() predicate; AllowRFC1918 field + WithAllowRFC1918() option; safeDialer bypass in both validation and selection loops
backend/internal/security/url_validator.go	AllowRFC1918 field + WithAllowRFC1918() option; Phase 4 private-IP loop bypass for both IPv4-mapped and plain IPv6 addresses
backend/internal/services/uptime_service.go	WithAllowRFC1918() passed to both ValidateExternalURL and NewSafeHTTPClient with a coordinating comment

Tests

21 new tests across 3 packages (92.1% / 94.1% / 86.0% coverage):

• TestIsRFC1918_* — comprehensive predicate coverage including boundary addresses, nil input, IPv4-mapped IPv6
• TestSafeDialer_AllowRFC1918_* — direct dial to 192.168.1.1, metadata still blocked, loopback still blocked
• TestValidateExternalURL_WithAllowRFC1918_* — all three ranges permitted; metadata and loopback still rejected
• TestValidateExternalURL_RFC1918BlockedByDefault — regression guard: confirms RFC 1918 is blocked when option is absent
• TestCheckMonitor_* — uptime service integration tests

Security

• 169.254.169.254 protection preserved — falls through RFC 1918 check (not in CIDRs) and hits the cloud-metadata error path unchanged
• IsRFC1918(nil) returns false — nil-safe
• All 7 other ValidateExternalURL call sites are untouched
• AllowRFC1918 defaults to false — no behaviour change without explicit opt-in
• The bypass requires a valid admin session (RequireManagementAccess()) to configure a monitor

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-actions]

✅ Supply Chain Verification Results

✅ PASSED

📦 SBOM Summary

• Components: 1483

🔍 Vulnerability Scan

Severity	Count
🔴 Critical	0
🟠 High	0
🟡 Medium	4
🟢 Low	2
Total	8

📎 Artifacts

• SBOM (CycloneDX JSON) and Grype results available in workflow artifacts

---

_{Generated by Supply Chain Verification workflow • View Details}

[codecov]

Codecov Report

❌ Patch coverage is 91.48936% with 4 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
backend/internal/network/safeclient.go	92.30%	1 Missing and 1 partial ⚠️
backend/internal/security/url_validator.go	80.00%	1 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Enables admin-configured uptime monitors to target RFC 1918 private IP ranges by adding an explicit opt-in (WithAllowRFC1918) to both SSRF enforcement layers (URL validation + dial-time guard), plus accompanying unit/integration tests and documentation.

Changes:

• Add AllowRFC1918 + WithAllowRFC1918() to both internal/security URL validation and internal/network safe dialer logic (with shared network.IsRFC1918 predicate).
• Wire the option through UptimeService.checkMonitor for HTTP/HTTPS monitors (dual-layer relaxation).
• Add tests for RFC 1918 behavior across network/security/services and update planning/QA docs.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
backend/internal/network/safeclient.go	Adds IsRFC1918, option flag, and safe dialer bypass/selection behavior for RFC 1918.
backend/internal/security/url_validator.go	Adds AllowRFC1918 config + option and skips private-IP blocking for RFC 1918 when enabled (including IPv4-mapped IPv6 handling).
backend/internal/services/uptime_service.go	Passes WithAllowRFC1918() to both validator and safe HTTP client; documents rationale.
backend/internal/network/safeclient_test.go	Adds RFC 1918 predicate and safe dialer/client tests.
backend/internal/security/url_validator_test.go	Adds RFC 1918 validation option tests (including mapped IPv6 cases).
backend/internal/services/uptime_service_test.go	Adds integration tests for monitor checks.
docs/plans/current_spec.md	Documents the implementation plan, invariants, and test plan.
docs/reports/qa_report_pr3.md	Adds QA/security report for PR-3 verification steps and outcomes.
.github/workflows/auto-changelog.yml	Updates pinned release-drafter action SHA.

---

You can also share your feedback on Copilot code review. Take the survey.